Thousands of websites get hacked on a daily basis. Actually, thousands out of the many billions of websites on the Internet is quite a low percentage, but if you got unlucky and your website is among those, you need to take it
Unfortunately, very often, website owners are 100% sure that they won't ever be a
- I was unlucky and the plan is to shut down my business.
In this article, I cover that gap and offer you a solid disaster recovery plan if your website got hacked.

Once Upon a Time, a Website Got Hacked…
So, if your website was hacked, do these actions immediately:
1. Before going ahead and restoring your website from backup, collect information about the attack, so you or security specialists can analyze it later and find out how the attackers got in.
- Ask your hosting technical support to provide server logs for the relevant period. You should request the following logs: access_log and error_log (web server logs), FTP connection and file operation logs, SSH/SFTP connection and file operation logs, control panel action logs, and a copy of the contents of the /var/log folder (for VPS-hosted accounts).
- Make notes of any website issues, including any anomalies you can find, such as main page defacement, spam pages/emails, redirects, blacklisting, new and unrecognized files, etc. Also note the approximate date and time of each observation.
- If you have enough disk space, pack the infected version of the entire website before you make any changes or cleanup attempts.
Based on the collected information you can try to determine the cause of the infection. For example, you can check the .htaccess file modification date and match it against the FTP log; if an upload of that file appears at the same time, the website was hacked over FTP, usually because the FTP password was too weak or was stolen. In general, forensic analysis may be a tough thing to do on your own, so if you are not sure how to proceed, it is better to contact security specialists.
2. Investigate all workstations used to interact with the website by scanning them with a commercial antivirus product. This will help you get rid of any potential trojans or keyloggers.
3. Change all your hosting-related passwords: email, the hosting panel, any website CMS admin accounts, FTP/SFTP/SSH users, and database users. It is highly recommended that you set strong passwords containing lower- and upper-case letters and digits, and more than 7 characters long.
4. If the website stopped working, restore it using a recent backup.
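As an added example (not code from the article or from Imunify360), here is how step 1 can be carried out in Python before anything is touched: pack the infected webroot untouched, write a SHA-256 manifest, list the files modified after a chosen date, and match their modification times against FTP upload records. The webroot contents, the .htaccess redirect and the FTP log lines are constructed sample data, and the log line format is an assumption rather than any real FTP server's format, so FTP_LOG_RE has to be adapted to the logs your host actually provides.

```python
# Added example, not the article's code. All inputs are constructed so it runs offline.
import hashlib
import os
import re
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumed log format (constructed): "<UTC timestamp> UPLOAD user=<u> ip=<ip> file=</path>"
FTP_LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UPLOAD user=(?P<user>\S+) "
    r"ip=(?P<ip>\S+) file=(?P<file>\S+)$"
)


def _utc(stamp):
    """Parse 'YYYY-MM-DD HH:MM:SS' as UTC and return a POSIX timestamp."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp()


def hash_tree(root):
    """Record sha256 and mtime of every file under root, keyed by path relative to root."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[path.relative_to(root).as_posix()] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "mtime": path.stat().st_mtime,
        }
    return manifest


def preserve_evidence(root, out_dir):
    """Pack the infected site as-is (tar keeps mtimes) and write a hash manifest beside it."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    archive = out_dir / "site-evidence.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(root), arcname="webroot")
    manifest = hash_tree(root)
    with open(out_dir / "manifest.txt", "w") as fh:
        for rel, info in manifest.items():
            fh.write(f"{info['sha256']}  {info['mtime']:.0f}  {rel}\n")
    return archive, manifest


def recently_modified(manifest, since_ts):
    """Files touched at or after since_ts, newest first: the first places to look for injected code."""
    hits = [rel for rel, info in manifest.items() if info["mtime"] >= since_ts]
    return sorted(hits, key=lambda rel: manifest[rel]["mtime"], reverse=True)


def correlate_with_ftp_log(manifest, log_lines, window_s=300):
    """Match each file's mtime against FTP uploads of the same path within window_s seconds."""
    matches = []
    for line in log_lines:
        m = FTP_LOG_RE.match(line.strip())
        if not m:
            continue  # not an upload record in the assumed format
        rel = m.group("file").lstrip("/")
        info = manifest.get(rel)
        if info and abs(info["mtime"] - _utc(m.group("ts"))) <= window_s:
            matches.append({"file": rel, "user": m.group("user"), "ip": m.group("ip"), "at": m.group("ts")})
    return matches


# Constructed sample data: a tiny webroot with one file touched at the "attack" time, plus an FTP log.
ATTACK_TS = _utc("2024-05-02 03:14:07")
NORMAL_TS = _utc("2024-04-01 10:00:00")
SAMPLE_FILES = {
    "index.php": (b"<?php echo 'hello'; ?>\n", NORMAL_TS),
    "css/style.css": (b"body { margin: 0 }\n", NORMAL_TS),
    ".htaccess": (b"RewriteEngine On\nRewriteRule ^ http://redirect.example/ [R,L]\n", ATTACK_TS),
}
SAMPLE_FTP_LOG = [
    "2024-04-01 10:00:00 UPLOAD user=siteadmin ip=198.51.100.7 file=/index.php",
    "2024-05-02 03:13:52 UPLOAD user=siteadmin ip=203.0.113.5 file=/.htaccess",
    "2024-05-02 03:13:53 NOOP user=siteadmin ip=203.0.113.5",
]


def build_sample_site(root):
    """Write the constructed webroot and backdate each file to its sample mtime."""
    for rel, (content, ts) in SAMPLE_FILES.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        os.utime(p, (ts, ts))


def demo():
    """Run the whole step-1 triage on the constructed site and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        site, evidence = Path(tmp) / "public_html", Path(tmp) / "evidence"
        build_sample_site(site)
        archive, manifest = preserve_evidence(site, evidence)
        with tarfile.open(str(archive)) as tar:
            archived = sorted(m.name for m in tar.getmembers() if m.isfile())
        return {
            "archived": archived,
            "recent": recently_modified(manifest, since_ts=_utc("2024-05-01 00:00:00")),
            "ftp_matches": correlate_with_ftp_log(manifest, SAMPLE_FTP_LOG),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it as a script to see the findings. The archive keeps the original modification times, which is what makes the later correlation possible; the benign index.php upload also correlates, which is expected, and the analyst then looks at the source IP and timing to separate the attacker's upload from routine ones.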
What if I don't have a backup?

There is also a good chance that you can restore some data using the vendors' original packages for your CMS and its extensions/plugins. And your web developer might also have a backup.

In other words, even if your website was defaced, completely wiped or heavily damaged by attackers, there is a good chance that you can restore it to some previous state. Explore all available options carefully.

I recovered my files—what next?
I recommend following this 4-step strategy:
1. First of all, you have to identify where the infection is (e.g., database, script files, .php code, etc.) and remove it. The infection may be present as static code in a .js file (usually at the beginning or end of the file), or as malicious code injected into website pages stored in the database. Besides that, a virus can dynamically generate malicious content using PHP scripts, or the hack can even be present on the web server side if the whole host is compromised. You also need to check your DNS configuration and settings. In some cases, your registrar account might get hacked and attackers can forward the web traffic to your website through their malicious proxy, injecting 'malvertising' content on the way. In summary, you need to check any side services that are used on your website, and any that allow customization, like Google Tag Manager (GTM), for example. (There have been cases when a Google account was compromised and attackers added a malicious payload as a custom script in GTM.)
2. You need to close or patch all software vulnerabilities on your website. If you cannot do that right away after the cleanup, you can ask your host to temporarily put your website into read-only mode. This should prevent reinfection while you are working on the resolution.
3. If you have any other websites hosted on the same hosting account, you should perform all cleanup steps and checks on all websites on the hosting account. Otherwise, infected neighbors can quickly reinfect your freshly-cleaned website.
4. Do all checks and change all your passwords after everything has been cleaned, as mentioned above.
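The file-level part of step 1 above (static code appended to .js files, obfuscated PHP, and script or iframe tags injected into database rows) can be given a first-pass scanner. The following is an added example and not the article's or Imunify360's code: the patterns, file contents and SQL dump rows are constructed for illustration, the table name site_pages and the hosts stats.example and ads.example are placeholders, and a real cleanup still needs a proper malware scanner. The DNS, registrar and tag-manager checks from the same step are manual and are not covered here.

```python
# Added example, not the article's code. Samples and patterns are constructed for illustration.
import re

# Patterns for injected or obfuscated code in site files (not an exhaustive signature set).
SUSPICIOUS = {
    "php-eval-decode": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "php-preg-replace-e": re.compile(r"preg_replace\s*\(\s*(['\"])/.*?/\w*e\w*\1", re.I),
    "js-write-unescape": re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I),
    "js-fromcharcode-chain": re.compile(r"String\.fromCharCode\s*\((?:\s*\d+\s*,){8,}", re.I),
    "hidden-iframe": re.compile(r"<iframe\b[^>]*\b(?:width|height)\s*=\s*[\"']?0(?:px)?\b", re.I),
    "long-base64-blob": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}

# Patterns for content injected into page rows of a database dump.
DB_SUSPICIOUS = {
    "external-script": re.compile(r"<script\b[^>]*\bsrc\s*=\s*\\?[\"']?(?:https?:)?//", re.I),
    "iframe": re.compile(r"<iframe\b", re.I),
}


def _location(offset, length):
    """Rough position of a hit: injections usually sit at the very top or bottom of a file."""
    if length == 0:
        return "head"
    frac = offset / length
    return "head" if frac < 0.1 else "tail" if frac > 0.9 else "middle"


def scan_text(rel_path, text):
    """Return one finding per pattern hit in a single file's contents."""
    findings = []
    for name, rx in SUSPICIOUS.items():
        for m in rx.finditer(text):
            findings.append({
                "file": rel_path,
                "pattern": name,
                "line": text.count("\n", 0, m.start()) + 1,
                "location": _location(m.start(), len(text)),
            })
    return findings


def scan_files(files):
    """files: mapping of relative path -> contents, as a walk over the webroot would yield."""
    findings = []
    for rel_path, text in files.items():
        findings.extend(scan_text(rel_path, text))
    return findings


def scan_sql_dump(lines):
    """Flag dump rows whose stored page content carries script or iframe tags."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for name, rx in DB_SUSPICIOUS.items():
            if rx.search(line):
                findings.append({"line": line_no, "pattern": name})
    return findings


# Constructed samples: one PHP file with a decode-and-eval stub at the top, one JS file with a
# document.write injection appended after the real code, one clean file, and three dump rows.
BENIGN_JS = "function init() { console.log('ok'); }\n" * 30
BENIGN_PHP = "function helper() { return 42; }\n" * 30
SAMPLE_FILES = {
    "includes/helper.php": "<?php\neval(base64_decode('ZWNobyAnaGknOw=='));\n" + BENIGN_PHP,
    "js/app.js": BENIGN_JS
    + "document.write(unescape('%3Cscript src=%22http://stats.example/j.js%22%3E%3C/script%3E'));\n",
    "index.php": "<?php\nrequire 'includes/helper.php';\necho 'hello';\n",
}
SAMPLE_SQL_DUMP = [
    "INSERT INTO site_pages (id, body) VALUES (12, '<p>Welcome to our shop.</p>');",
    r"INSERT INTO site_pages (id, body) VALUES (13, '<p>Sale</p><script src=\"http://stats.example/j.js\"></script>');",
    r"INSERT INTO site_pages (id, body) VALUES (14, '<iframe src=\"http://ads.example/f\" width=\"0\" height=\"0\"></iframe>');",
]


def demo():
    """Scan the constructed files and dump rows and return both sets of findings."""
    return {"files": scan_files(SAMPLE_FILES), "db": scan_sql_dump(SAMPLE_SQL_DUMP)}


if __name__ == "__main__":
    for finding in demo()["files"]:
        print("file:", finding)
    for finding in demo()["db"]:
        print("db:", finding)
```

The location field is the practical part: a hit reported at the head of a PHP file or the tail of a JS file is exactly the placement the article describes, and that is where to look first when comparing the file against a clean copy from the vendor package.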
Conclusion

P.S. I will look at manual malware cleanup steps in forthcoming articles, so watch this space!
Written by Andrey Kucherov, Malware Analyst at Imunify360